SSH completely locks up if you have a NOT PERFECT con
Robin
dovecot at r.paypc.com
Sun Aug 31 13:08:42 EST 2014
On 8/28/2014 9:20 AM, Anonymous wrote:
> This is an SSH BUG!
It sounds like your main problem is with the specification of TCP, not
SSH. TCP/IP was developed with a few overarching assumptions:
1) Your own (source interface) IP#s and possibly the server's didn't
change "often". I am pretty sure its original designers didn't develop
TCP in an environment "featuring" bouncing IP#s from flaky WiFi spots'
DHCP implementations issuing you a new IP# all the time when your link
resumes.
2) The route path to your server was reasonably stable, and fairly
static. Most of the transient path-'outages' are usually due to some
leg's BGP changes or flakiness. Occasionally, connections get
half-broken, even if both sides don't notice any especial "outage" to
the Internet-at-large.
Projects with security as their first priority generally don't have the
mandate, let alone resources to try to work around all of the problems
caused by the "modern flaky reality" of Internet connectivity.
TCP's always had a problem of detecting half-broken connections on the
server side when the normal "idle" state of the server is awaiting
input from the client. With TCP - unless you enable KEEPALIVES or build
a "HEARTBEAT" into your protocol, you generally don't know the link's
dead until you try to send data to your endpoint.
If you really do want "auto-closure" of half-disconnected connections,
there are many options open to you, ranging from a mix of enabling TCP
keep-alives with semi-shortish timeout intervals (note, this isn't
protected by any crypto or MAC of any kind), to enabling an "SSH inband
'ping'" to more securely implement a "heartbeat" type of functionality.
Read the manuals, educate yourself about your kernel's TCP stack tuning
knobs (if you can even get at those on your system), but don't shriek
like a lunatic to every software project that inherits the limitations
of underlying protocols and demand that they redress the accumulated
shortcomings of decades of ad-hoc and often chaotic "progress" that have
exposed the cracks in a 30+ year old networking specification.
Not an SSH Bug, but a USER Bug.
=R=
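The two options Robin contrasts above, kernel TCP keepalives versus an SSH in-band "ping", shown as an added example that is not part of the original post or of OpenSSH. The ssh_config / sshd_config option names in the comments (TCPKeepAlive, ServerAliveInterval, ServerAliveCountMax, ClientAliveInterval, ClientAliveCountMax) are real OpenSSH options; the functions enable_tcp_keepalive, probe_peer, respond_to_probes and the PROBE / PROBE-ACK messages are this example's own and stand in for the SSH-level heartbeat, which in a real session rides inside the encrypted and MAC'd SSH stream. The socket pair and the silent peer are constructed locally so the example runs offline.

```python
import socket
import threading

# Two ways to notice a half-broken link, as described in the post above:
#   (a) kernel TCP keepalives: "TCPKeepAlive yes" in ssh_config plus the
#       kernel's tcp_keepalive_* knobs; the probes are bare TCP segments, not
#       covered by the SSH MAC, so anything on the path can answer them.
#   (b) an in-band heartbeat: ServerAliveInterval / ServerAliveCountMax on the
#       client (ClientAliveInterval / ClientAliveCountMax on sshd); the probes
#       travel inside the encrypted, authenticated SSH stream.
# The function and message names below are this example's own, not OpenSSH's.


def enable_tcp_keepalive(sock, idle=60, interval=10, probes=3):
    """Enable kernel keepalive on an existing TCP socket and return the
    worst-case time (seconds) before the kernel declares the peer dead.
    The Linux default idle timer (net.ipv4.tcp_keepalive_time) is 7200 s,
    so the per-socket override is what makes detection usefully fast."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Linux option names; macOS exposes the idle timer as TCP_KEEPALIVE and
    # other platforms may lack them, so set whatever this socket module has.
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return idle + interval * probes


def keepalive_demo(idle=60, interval=10, probes=3):
    """Create a TCP socket, enable keepalive, and return
    (worst_case_seconds, keepalive_flag_read_back_from_the_socket)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        worst = enable_tcp_keepalive(s, idle, interval, probes)
        flag = s.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
    finally:
        s.close()
    return worst, flag != 0


def probe_peer(sock, interval=1.0, count_max=3):
    """In-band heartbeat with ServerAliveInterval/CountMax semantics: send a
    probe, wait `interval` seconds for a reply, and after `count_max`
    consecutive unanswered probes report the link as dead. Returns True as
    soon as one reply arrives, False if the peer is silent or has closed."""
    sock.settimeout(interval)
    missed = 0
    while missed < count_max:
        try:
            sock.sendall(b"PROBE\n")
        except OSError:
            return False          # the local stack already knows the link is gone
        try:
            reply = sock.recv(64)
        except socket.timeout:
            missed += 1           # silence: counts like a lost ServerAlive reply
            continue
        if reply == b"":
            return False          # orderly close from the peer
        if reply.startswith(b"PROBE-ACK"):
            return True
        missed += 1               # unexpected data: treat as no answer
    return False


def respond_to_probes(sock, replies=1):
    """Peer side of the heartbeat: answer `replies` probes, then go quiet,
    which models a peer whose link silently died (constructed for the demo)."""
    sock.settimeout(5)
    for _ in range(replies):
        try:
            data = sock.recv(64)
        except socket.timeout:
            return
        if not data.startswith(b"PROBE"):
            return
        sock.sendall(b"PROBE-ACK\n")


def heartbeat_demo(peer_answers):
    """Run probe_peer over a local socket pair against a peer that either
    answers one probe or never answers. Returns probe_peer's verdict."""
    a, b = socket.socketpair()
    t = threading.Thread(target=respond_to_probes,
                         args=(b, 1 if peer_answers else 0), daemon=True)
    t.start()
    try:
        return probe_peer(a, interval=0.2, count_max=3)
    finally:
        a.close()
        b.close()
        t.join(timeout=1)


if __name__ == "__main__":
    print("kernel keepalive worst case:", keepalive_demo())
    print("answering peer alive:", heartbeat_demo(True))
    print("silent peer alive:", heartbeat_demo(False))
```

With interval 0.2 s and count_max 3 the silent peer is declared dead after about 0.6 s, which is the same interval-times-count arithmetic behind ServerAliveInterval 15 / ServerAliveCountMax 3 giving roughly 45 s in a real ssh_config; the kernel keepalive path needs the per-socket (or sysctl) overrides because the default idle timer alone would leave a half-broken session undetected for two hours.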
More information about the openssh-unix-dev mailing list